The difference between static analysis and code review

April 9, 2013

Both static analysis and code review are methods to find errors and vulnerabilities in source code without explicitly executing the program being examined.

Code review is usually understood as a recurring examination of a source code fragment performed jointly by two or more developers, which may take place either informally or as a formal certification. Code review may also be a part of pair programming.

Static code analysis in most cases implies the use of special tools that automatically scan the source code to find out whether it contains any of the known formal bug patterns that may need to be inspected by a developer. Unlike code review, automation makes static analysis effectively unconstrained by the size of the code to be checked. However, static analysis results still need to be studied by developers to distinguish genuine errors from false positives, which are inevitable with this analysis approach.
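To make the "formal bug pattern" and "false positive" points concrete, here is an added example (not code from the original article) of a minimal pattern-based checker over Python's AST. It flags every function parameter whose default value is a mutable literal; the constructed sample below contains one genuine defect and one harmless match, and the checker cannot tell them apart, which is exactly why a developer still has to triage its report.

```python
import ast

# Constructed sample (not from the original article): two functions that
# both match the "mutable default argument" bug pattern. Only the first
# is a genuine defect; the second never mutates its default.
SAMPLE = '''
def add_item(item, bucket=[]):
    bucket.append(item)        # genuine: the shared list grows across calls
    return bucket

def count_items(items=[]):
    return len(items)          # false positive: the default is never mutated
'''

MUTABLE_LITERALS = (ast.List, ast.Dict, ast.Set)


def find_mutable_defaults(source):
    """Return (function_name, line) for each parameter whose default is a
    list/dict/set literal.

    This is purely pattern-based: it never checks whether the default is
    actually modified, so both functions in SAMPLE are reported and the
    developer must decide which finding is real.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            # kw_defaults holds None for keyword-only params without defaults
            for default in node.args.defaults + node.args.kw_defaults:
                if isinstance(default, MUTABLE_LITERALS):
                    findings.append((node.name, default.lineno))
    return findings


if __name__ == "__main__":
    for name, line in find_mutable_defaults(SAMPLE):
        print(f"line {line}: mutable default argument in {name}() - needs review")
```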

Although the notions of code review and static analysis are usually kept separate, they may sometimes intersect and even be viewed as complementary methods that build on each other. An example of this is a joint code review performed by several developers of the specific code fragments pointed out in the report of a static analyzer that has previously analyzed the whole project.